cors is a Node.js package that adds a layer of
security to your API/server by limiting which origins can access
it, or which origins can access a certain route.
Installation


This is a Node.js module available through the npm registry. Installation is done using 
the npm install command: 


Usage 

Simple Usage (Enable All CORS Requests)

var express = require('express')
var cors = require('cors')
var app = express()

app.use(cors())

app.get('/products/:id', function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for all origins!'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})


Enable CORS for a Single Route 

var express = require('express')
var cors = require('cors')
var app = express()

app.get('/products/:id', cors(), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for a Single Route'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})


Configuring CORS 

var express = require('express')
var cors = require('cors')
var app = express()

var corsOptions = {
  origin: 'http://example.com',
  optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204
}

app.get('/products/:id', cors(corsOptions), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for only example.com.'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})


Configuring CORS w/ Dynamic Origin 


This module supports validating the origin dynamically using a function provided to 
the origin option. This function will be passed a string that is the origin (or undefined if 
the request has no origin), and a callback with the signature callback(error, origin). 


The origin argument to the callback can be any value allowed for the origin option of the 
middleware, except a function. See the configuration options section for more information 
on all the possible value types. 


This function is designed to allow the dynamic loading of allowed origin(s) from a backing 
datasource, like a database. 

var express = require('express')
var cors = require('cors')
var app = express()

var corsOptions = {
  origin: function (origin, callback) {
    // db.loadOrigins is an example call to load
    // a list of origins from a backing database
    db.loadOrigins(function (error, origins) {
      callback(error, origins)
    })
  }
}

app.get('/products/:id', cors(corsOptions), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for an allowed domain.'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})


Enabling CORS Pre-Flight 


Certain CORS requests are considered ‘complex’ and require an initial OPTIONS request 
(called the “pre-flight request”). An example of a ‘complex’ CORS request is one that uses an 
HTTP verb other than GET/HEAD/POST (such as DELETE) or that uses custom headers. To 
enable pre-flighting, you must add a new OPTIONS handler for the route you want to 
support: 


var express = require('express')
var cors = require('cors')
var app = express()

app.options('/products/:id', cors()) // enable pre-flight request for DELETE request
// app.delete replaces the deprecated app.del alias
app.delete('/products/:id', cors(), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for all origins!'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})


You can also enable pre-flight across-the-board like so: 


app.options('*', cors()) // include before other routes 


NOTE: When using this middleware as an application level middleware (for
example, app.use(cors())), pre-flight requests are already handled for all routes.


Configuring CORS Asynchronously 


var express = require('express')
var cors = require('cors')
var app = express()

var allowlist = ['http://example1.com', 'http://example2.com']
var corsOptionsDelegate = function (req, callback) {
  var corsOptions;
  if (allowlist.indexOf(req.header('Origin')) !== -1) {
    corsOptions = { origin: true } // reflect (enable) the requested origin in the CORS response
  } else {
    corsOptions = { origin: false } // disable CORS for this request
  }
  callback(null, corsOptions) // callback expects two parameters: error and options
}

app.get('/products/:id', cors(corsOptionsDelegate), function (req, res, next) {
  res.json({msg: 'This is CORS-enabled for an allowed domain.'})
})

app.listen(80, function () {
  console.log('CORS-enabled web server listening on port 80')
})


Configuration Options 


• origin: Configures the Access-Control-Allow-Origin CORS header. Possible values:

    ◦ Boolean - set origin to true to reflect the request origin, as defined
      by req.header('Origin'), or set it to false to disable CORS.

    ◦ String - set origin to a specific origin. For example if you set it
      to "http://example.com" only requests from "http://example.com" will be
      allowed.

    ◦ RegExp - set origin to a regular expression pattern which will be used to test
      the request origin. If it's a match, the request origin will be reflected. For
      example the pattern /example\.com$/ will reflect any request that is coming
      from an origin ending with "example.com".

    ◦ Array - set origin to an array of valid origins. Each origin can be a String or
      a RegExp. For example ["http://example1.com", /\.example2\.com$/] will accept
      any request from "http://example1.com" or from a subdomain of "example2.com".

    ◦ Function - set origin to a function implementing some custom logic. The
      function takes the request origin as the first parameter and a callback (called
      as callback(err, origin), where origin is a non-function value of
      the origin option) as the second.

• methods: Configures the Access-Control-Allow-Methods CORS header. Expects a
  comma-delimited string (ex: 'GET,PUT,POST') or an array (ex: ['GET', 'PUT',
  'POST']).

• allowedHeaders: Configures the Access-Control-Allow-Headers CORS header.
  Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array
  (ex: ['Content-Type', 'Authorization']). If not specified, defaults to reflecting
  the headers specified in the request's Access-Control-Request-Headers header.

• exposedHeaders: Configures the Access-Control-Expose-Headers CORS header.
  Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array
  (ex: ['Content-Range', 'X-Content-Range']). If not specified, no custom
  headers are exposed.

• credentials: Configures the Access-Control-Allow-Credentials CORS header. Set
  to true to pass the header, otherwise it is omitted.

• maxAge: Configures the Access-Control-Max-Age CORS header. Set to an integer to
  pass the header, otherwise it is omitted.

• preflightContinue: Pass the CORS preflight response to the next handler.

• optionsSuccessStatus: Provides a status code to use for
  successful OPTIONS requests, since some legacy browsers (IE11, various SmartTVs)
  choke on 204.


The default configuration is the equivalent of: 


{
  "origin": "*",
  "methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
  "preflightContinue": false,
  "optionsSuccessStatus": 204
}
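
The RegExp bullet under Configuration Options notes that /example\.com$/ reflects any origin ending with "example.com", which also covers origins on other domains that merely share that suffix. The following added example (not from the cors package or its README) compares that pattern with an anchored pattern and an exact-match array over constructed origins; matchesOrigin, audit, the anchored pattern and the sample origins are hypothetical names and values written for this illustration.

```javascript
// Added example, not the cors package's source. matchesOrigin is a hypothetical
// helper that follows the String / RegExp / Array / Boolean semantics listed above.
function matchesOrigin (origin, rule) {
  if (Array.isArray(rule)) {
    return rule.some(function (r) { return matchesOrigin(origin, r) })
  }
  if (typeof rule === 'string') return origin === rule // exact comparison
  if (rule instanceof RegExp) return rule.test(origin) // pattern test
  return !!rule // Boolean: true reflects any origin, false disables CORS
}

// Pattern from the RegExp bullet: only the end of the string is constrained.
var suffixPattern = /example\.com$/

// Anchored form: fixed scheme, optional subdomain labels, optional port.
var anchoredPattern = /^https:\/\/([a-z0-9-]+\.)*example\.com(:\d{1,5})?$/

// Exact-match array: nothing is allowed unless it is listed.
var exactList = ['https://example.com', 'https://api.example.com']

// Constructed Origin header values for the comparison.
var samples = [
  'https://example.com',
  'https://api.example.com',
  'https://example.com:8443',
  'http://example.com', // plain HTTP
  'https://notexample.com', // different domain that shares the suffix
  'https://example.com.test.invalid', // example.com is only a leading label
  undefined // request sent without an Origin header
]

// Return the sample origins that a given origin rule would accept.
function audit (rule) {
  return samples.filter(function (o) { return matchesOrigin(o, rule) })
}

console.log('suffix  :', audit(suffixPattern))
console.log('anchored:', audit(anchoredPattern))
console.log('exact   :', audit(exactList))
```

Either anchoredPattern or exactList can be passed as the origin value in corsOptions.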


